\subsection{User interface}
\label{sec:design_user}

%TODO:  Break out details of how a user creates, modifies, and checks a file.  Like a workflow.
%open file $\rightarrow$ get handle $\rightarrow$ call trust_file() or trust_path() to test the canonicalized path

Our user interface consists of four functions: $get\_history()$, $trust\_file()$, $trust\_directory()$, $trust\_tree()$, $trust\_path()$.  Together these provide the mechanism to check the entire modification history of the file, or to check if the file is trusted under some access policy.  The $trust$ functions respectively check the file, all of the contents of a directory, or the recursive contents of a directory.  The final function, $trust\_path()$, canonicalizes the path to the file and verifies every directory on the entire canonical path to the file.

This interface provides the mechanism to say when and by whom this file was modified and whether or not to trust it.  Probably the most useful aspect of this interface is that it can use file descriptors for open files, so that race conditions are avoided.

